Per request user authentication

Jan 21st, 2005, 04:13 AM

Hi,

I'm working on an application with the security requirements outlined below:

- User logs on
- For every request thereafter ensure user is logged on
- If user is logged on, allow user access to requested resource
- Else if user is not logged on, show login page, then after successful login, show them the previously requested resource.

Is there a Spring best practice way of doing this, or a way you've used that you've found successful?
Regards,
Eliot

Comment

Yes, I'm very interested in trying Acegi out. I am working on an XP project at the moment and would like an interim quick-to-implement solution for this basic authentication requirement before tackling Acegi, which I appreciate you can take just the parts you need from, but there's still a learning curve there that me and my team mates could do with avoiding until a later iteration.

Comment

Just a little encouragement: Acegi Security can handle web request filtering with great ease, and as you don't need method security interception or access control list domain object instance security, you'd be using the simplest parts and it should only take a few hours to get up to speed on those parts. The Contacts sample application is suitable, as you just cut 'n' copy the XML to your own project (minus all the ACL and method security related beans, which are well-commented).

As someone else said, standard container security is probably best if you really need to get up to speed immediately, as web filtering is all it can actually handle. Having said that, before committing to it for a long-term direction, you might like to check the related FAQ entry at http://acegisecurity.sourceforge.net.